Security on the Web

Internet: Security on the Web

Security on the Web -- What are the Key Issues for Major Banks?

The age of digital technology -- email, Web-driven high-speed communication and information, online commerce, and more -- has been in place now for several years, and has been touted as a "revolutionary" technological breakthrough, and for good reason: This technology presents enormous new business opportunities. For example, by moving the key element of marketing and sales from local and regional strategies onto the global stage, and by providing dramatically improved customer convenience, the Web offers medium, small and large companies -- including banks -- unlimited growth potential.

That having been said, there are problems associated with online services, in particular online banking services, and security is at the top of the list of these issues. Some of the most serious security issues associated with Web-banking keep customers away from this technology, in fear of money being stolen and privacy taken away.

But indeed, there are solutions, in many cases, for banks that employ the latest security-related technologies; there are several successful strategies banks have embarked upon in regard to security for their customers who chose to use online services.

Introduction

The Internet's History: Before there could be online banking, of course there needed to be an Internet, and a World Wide Web. The story of the Internet begins shortly after the Soviets jolted the American scientific community by successfully launching the satellite Sputnik, in October, 1957. President Dwight Eisenhower quickly established the Advanced Research Projects Agency (ARPA) within the defense department, to bring together the best scientific minds in an attempt to counter the Soviets' technological breakthrough (not necessarily, as some reports have suggested, to ward off a nuclear attack). According to the Web site www.ibiblio.org (Internet Pioneers, 2004), the ARPA launched the ARPANET, later to become a computer-linked network for scientists and military experts.

From those early origins of the Internet development, Bob Metcalf (in 1973) invented Ethernet, and the mouse shortly thereafter was the brainchild of Douglas Englebart, leading up to 1974, when Vint Cerf ("the father of the Internet") wrote "a new protocol, TCP (Transmission Control Protocol), which was the catalyst to allow "various networks to connect into a true 'internet'," the article explains.

The World Wide Web (WWW) was founded in 1990, by Tim Berners-Lee, and by December, 1998, 26.2% of American households had the Internet hooked up for frequent use, according to the Department of Commerce (Petry, 2000).

As of today, there are approximately 185 million Americans with Internet access, and world-wide, an estimated 934 million individuals are online (http://www.clickz.com), according to Jupiterimages data gleaned from the Computer Industry Almanac.

Meanwhile, with this huge army of Internet users in place and believing in the power of cyberspace -- and most of them needing banking services of one kind or another -- the banking industry has been hustling to offer secure services since around 1995. The Royal Bank of Canada (RBC) reports that "The first national computer banking service in Canada, PC Banking, was rolled out ... In late 1996" (www.rbc.com 2004).

Now that nearly all banks offer services such as online bill payment, account management, loan applications and more, there are serious security breaches being reported, and while some customers are victims of online theft, other customers, justifiably, are extremely nervous. This paper will report on the various ways in which personal bank accounts -- and banks per se -- are being compromised by thieves. And, this paper will offer solutions for customers and banks when it comes to safety and security online, and to the protection of customer privacy.

Online Banking: The Problems, the Concerns, and the Possible Solutions

A very recent article from News Factor Network (Arnfield, 2005), published in Yahoo! News, provides some overall perspective on the present and future safety and security of online banking services. In the article, the high-visibility U.S. anti-virus company, McAfee, through its emergency response team, Avert, reports that around "50 new viruses -- of varying risk assessments -- were discovered every day during the first half of 2004."

Moreover, in 2004, the article continues, "the rise in viruses, worms, phishing, adware [advertising-supported software that infects computers] and vulnerability exploitation has surpassed what was noted in 2003," according to Avert's VP, Vincent Gulloto. These vulnerabilities are partly due, Gulloto asserts, to "a general lack of awareness in regard to adware ... " as well as hackers taking advantage of "a general lack of consumer awareness" regarding Internet attacks.

Meanwhile, an article in the American Banker reports on the results of a recent Federal Deposit Insurance Corporation (FDIC) survey, which found that "an estimated 1.98 million U.S. adult Internet users experienced an unauthorized transfer from their checking account ... " (Bergman 2004) in a 1-year period ending April, 2004. The survey also found that "unauthorized access to checking accounts was the fastest-growing ... " of the five types of consumer fraud Americans experienced in 2004.

Given these very recent data, the key question for today's banking institution and banking consumer should be: "How secure are your online banking services?" After careful research and analysis of the issues involved, the honest answer, in many cases, will be, "not very secure at all"; notwithstanding the fact that banks are trying their best to convince consumers that online banking is secure, the news is not good.

It is indeed surprising -- and disheartening -- to research the literature and learn that banks are very vulnerable to Internet crime, despite their slick marketing efforts to assure consumers that online accounts are safe. Moreover, it appears that every time the banking industry believes it has licked a particular security breach, the hackers and thieves out there in cyberspace devise another tool to beat the latest stopgap security measure employed by banks. And unless banks can stay ahead of these crafty scammers, consumers -- who had been expected to flock to online banking services in droves -- may be content to actually drive down to the bank to make their transactions and deposits, and to pay their bills the old-fashioned way: by "snail mail" or in person.

There is a great deal of literature available as back up to the position taken in the two preceding paragraphs. To wit, according to research conducted by the publication, The Banker (Skinner, 2004), " ... 57 million adults in the U.S. received a fraudulent email as of May 2004" connected with their online banking services, and the trends clearly show that unscrupulous Web thieves are getting "more and more sophisticated."

Those "fraudulent" emails are part of an online con game called "phishing," which is basically an email received which announces that "your account will be suspended unless you click here now," Skinner writes. An unsuspecting, unsophisticated consumer immediately clicks into "what looks like the bank's website," enters his login, password and his security settings "without realizing that all the details" are funneled into a hacker's computer -- and funds may well soon be stolen as a result.

Using information provided by the Anti-Phishing Working Group (APWG), Skinner writes that phishing attacks increased "50% a month" in the first half of 2004, with the principal targets being "banks, eBay, and PayPal." The phishing attacks are adding up to a staggering loss of $1.2 billion a year in Web-related fraud, Skinner concludes.

Where did the term "phishing" come from? There is a good explanation in the APWG's Web site (http://www.antiphishing.org): phishing comes from the "analogy that Internet scammers are using email lures to 'fish' for passwords and financial data" from the millions of Internet users around the globe. The term actually was launched in 1996, the APWG explains, by hackers who ripped off AOL dial-up account users back when the enthusiasm over having email technology tended to blind the new user to the danger posed by crooks who were lurking in the "alleyways" of cyberspace.

'Ph" is commonly used by hackers, APWG's site points out, as a replacement for "f" -- and "is a nod to the original form of hacking, known as 'phreaking', which was coined by the first hacker, John Draper (AKA, 'Captain Crunch')." (Draper reportedly invented hacking by breaking into telephone systems electronically in the early 1970s.)

Hackers became so adept at their trade that by 1997, "phish" were "actually being traded" as a form of hacker currency, the APWG report continues. Hackers would "routinely" trade ten "working AOL phish" for some form of hacking software they needed to continue their unscrupulous careers.

Another tool in the hands of the hackers and thieves is "script injection" -- which is a system where hackers insert "text frames in the official Web sites of banks," Skinner explains. The customer at home logged onto a laptop believes that the official details and designs on the bank's Web page on the computer screen are real -- when in fact some of that data have been inserted into the bank's Web pages by groups like "Gangs 'R' Us." Hence, the links available take the Internet user to pages of false information that allow the hacker to spy on and steal information from the user's account.

How significant is the scope of cyber security issues that face the banking industry? "This whole thing is gigantic ... we're deploying as many layers as we can," according to Bob Justus, supervisor of corporate information security at Union Bank of California (Grebb, 2003). "Bonnie and Clyde would have killed for today's technology," said Gary Jackson, CEO of Psynapse Technologies, a security group in Washington D.C.

Grebb's article in U.S. Banker alludes to another security breach, the "Slammer" worm virus, which temporarily paralyzed the ATM network for Bank of America -- and cause additional headaches "at corporations worldwide" -- in 2003. The very fact that computer networks are co-dependent, and fully linked, "has left banks more vulnerable than ever," Grebb explains. The threat of virus infestation is just one part of the grim reality of Internet crime; as Dan Ingevaldson of Internet Security Systems points out, in reference to the Bank of America "Slammer": "There we saw Internet worms go over to the mainstream ... [and] we don't think this trend is going to reverse itself."

Amy Toner, a security and privacy professional with PricewaterhouseCoopers, says "the attacks are becoming more sophisticated, but the sophistication level to execute them is very low." The seeming ease with which some of the computer viruses have been able to "temporarily cripple global networks" has sounded a "wake-up call," Grebb continues. And while it only takes one brainy hacker to write the code to break into a bank's network, "almost anyone can later unleash it ... "

The addition layer of concern now facing banking institutions is that federal regulators are requiring new and provable levels of security, better forms of customer identification and assurance of privacy protection for customers. Those regulations are found in the U.S.A. Patriot Act, and the Gramm-Leach-Bliley Act. And if banks don't comply with these regulations, there will be stiff penalties. And there will be continuing problems for banks seeking merely to obtain "sufficient security"; because, as Bob Anderson of Benchmark Data states in the Grebb article: "Bad guys know exactly what sufficient security is, and they can exploit that in a heartbeat."

Another menace to banking interests that offer online services is the so-called "keylogger" (AKA "Trojan Horse"), which arrives in the bank customer's computer looking like an innocent email from the bank, but is instead an insidious phishing expedition. Often the email will ask the customer to "please install our special software," explaining that the software will clean the customer's computer, or support other bank functions.

However, once the unsuspecting computer user has clicked on the email, the keylogger burrows into the user's files and "can save records for every bank or brokerage or retailer the customer visits" (Wolfe, 2004), according to a piece in American Banker. That simple email to a customer, posed as being from Bank One, for example, could install a program into the user's computer "that could enable the sender to drain an account at any financial institution."

Wolfe's article quotes Avivah Litan, a VP and research analyst at Gartner Inc., as saying that the perpetrators of these keylogger and phishing attacks come from a "loosely organized crime ring," and are "usually a crime ring of people who get together, and they have a plot." And these "loosely organized" crime groups are learning that their spoofed Web site / keylogger attacks are harder to discover when they move "offshore ... often to Asia or Eastern Europe," according to David Jevens, APWG chairman, quoted by Wolfe.

It can take more than eight days to tear down an imposter Web site offshore, but a bogus U.S.-hosted site can be deleted the same day it is discovered, Jevens asserts. But even shutting down a Web site that sends out keyloggers doesn't solve the problem for banks, Wolfe writes, because "every infected computer puts its uses at risk." Indeed, many users are not aware that they have become a keylogger victim until "long after their accounts have been emptied."

More "worrisome" than the dreaded keyloggers is the new potential threat that Jevens says is just around the corner: the "hijacking" of the domain name system (DNS). If a hacker or a phisher can steal the DNS from a bank customer, for example, the communication between the customer and the bank's Web servers would be intercepted, and traffic between the customer and the bank's Web server could be redirected to "an imposter site," and thereafter record the victim's logging on patters to the fake site.

And while the consumer may be wondering "why the genuine site seems to be down, the phishers would be busy transferring funds from the account," Wolfe continues, drawing information from Jevens.

Though Jevens adds that "Hijacking's just a theory right now," and it has not been detected in banking online services, this is an example of what banks should be paying attention to, and hiring cutting-edge experts to build preventative systems for. Rather than wait until they have been attacked, alert, visionary bank security officials should become far more proactive, and put systems in place anticipating the next generation of attack.